An early generation of implantable cardioverter-defibrillators, “ICDs” had one programmable function: on and off. The modern version of the device has dozens of programmable parameters. In fact, it is now not uncommon for physicians who regularly use such devices to not be fully versed in all of the possible programming complexities of the devices that they implant. Furthermore, the optimal value of some programmable parameters cannot be known at the time of device implantation. Physicians will not uncommonly guess at the values to be programmed for anti-tachycardia pacing, because they may not be able to accurately reproduce the tachycardia that a patient may later have. It is therefore not uncommon for physicians to reprogram such parameters, weeks, months or years later, after the occurrence of the actual event showed that they had not guessed well. Occasionally, the examples are striking A patient, for example with an ICD and both ventricular tachycardia and atrial fibrillation may get not just one but quite a few inappropriate defibrillator shocks, because of an inappropriately selected programmed rate cutoff, stability parameter, etc. The opposite sort of phenomenon may also occur. For example, a patient with known ventricular tachycardia, “VT”, at 200 beats per minute, “bpm”, may have the VT detect rate of an ICD programmed to 180, and may later collapse because of an unexpected episode of VT below the rate cutoff.
Occasionally, the malfunctioning of an implanted device can have very serious consequences. The Ventritex V-110 defibrillator at one point had a failure mode which resulted in the sudden death of at least one patient. The “fix” for it, was a programming fix, wherein the downloading of certain instructions prevented the device from being subject to this malfunction.
The explosive growth of modern communication systems allows for the possibility of remote supervision and management of implantable devices, and addressing of the aforementioned problems. An ICD which may be providing numerous inappropriate shocks over a short time period—either due to device malfunction, lead malfunction or inappropriate programming of a properly functioning system, could be remotely identified and reprogrammed, for example.
A variety of other devices which perform critical functions which remote control could enhance. These include cardiac pumps, insulin pumps, brain stimulating devices and others.
There are certain requirements that must be fulfilled if some of the autonomy of device function is to be impinged on. Remote control over a faulty communication link could create problems instead of solving them, so reliability of communications, careful communication monitoring, redundancy and contingency planning, are all features of a remotely controllable implantable device. Since the communication process uses battery power, judicious power management is also a necessity.
Since the gaining of access to IMD control by an inappropriate or non-authorized person may have major or dire consequences, it is of value to prevent system access by any such inappropriate person.
One approach to the problem is simply to require an alphanumeric user identification. Such an approach has the obvious limitation of easily breached device security, upon loss, theft, or other unintended acquisition of the device access information.
A more secure approach is requiring the user to input a “biologic identifier”—e.g. a fingerprint, an iris pattern, retinal blood vessel pattern, palm or finger blood vessel pattern, facial image, voice or voice print, etc. These too can be “hacked”, since it is possible to obtain such biologic identification without the agreement of the person whose identification is purloined.
A still more secure approach, presented herein relies on more secure systems of user identification.